FTC charges two firms with leaking customer data on P-to-P networks

In a first for the U.S. Federal Trade Commission, the agency has filed charges against two businesses that allegedly allowed consumer personal data to be leaked through P-to-P (peer-to-peer) software installed on their networks.

In complaints released Thursday, the FTC alleged that EPN, a Provo, Utah, debt collection firm doing business as Checknet, and Franklin Toyota/Scion, a Statesboro, Georgia, car dealership, exposed the sensitive personal data of thousands of consumers by allowing P-to-P file-sharing software to be installed on their corporate computer systems.

Proposed settlements with the FTC bar the companies from misrepresenting their privacy and security measures, and require the businesses to establish comprehensive information security programs, the FTC said in a press release.

Before the company discovered and disabled the P-to-P software in April 2008, the P-to-P software shared sensitive information, including Social Security numbers, health insurance numbers and medical diagnosis codes, of 3,800 hospital patients with other users of the P-to-P software, the FTC said in its complaint.

The company did not have an appropriate information security plan, the FTC alleged. Checknet also failed to assess risks to the consumer information it stored, did not adequately train employees and did not use reasonable measures to enforce compliance with its security policies, the agency said.

The failure to maintain an adequate cybersecurity program was an unfair business practice that violates U.S. law, the agency said.

Checknet is "eager" to follow all of the FTC guidelines in its settlement with the agency, the company said in a statement. The company "never intended to cause harm," it said. It called the problem a "one-time, isolated incident" that caused no identity theft or fraud, and said it has made significant improvements to its security.

"This was an unfortunate incident that was immediately corrected," Jessica Devenish, CEO of Checknet, said in the statement. "We have never operated out of arrogance or neglect and we will now continue to operate with our clients and their consumers in mind."

The incident has led to "broad introspection" at the company, she added. "This event has strengthened our resolve to look into the 'nooks and crannies' of our operation, find weakness, and make corrections," she said. "While the FTC has placed us under a microscope, it is nothing compared to what we have done already ourselves."

In a separate case, the FTC charged that auto dealer Franklin's Budget Car Sales, also known as Franklin Toyota/Scion, also allowed P-to-P software on its network.

Franklin's privacy policy said the company restricts "nonpublic personal information about you to only those employees who need to know that information." The company also said that it maintained "physical, electronic, and procedural safeguards that comply with federal regulations to guard nonpublic personal information."

The P-to-P software on Franklin's network shared the names, addresses, Social Security numbers, dates of birth and driver's license numbers of 95,000 customers with other P-to-P users, the FTC alleged.

Franklin failed to prevent and detect unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information, the FTC alleged.

Because Franklin offered financial services, the alleged security failures violated the U.S. Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information, the FTC said.

This is the FTC's first action against an auto dealer for GLB violations.

Under a settlement with the FTC, Franklin must maintain a comprehensive information security program and undergo independent data security audits every other year for 20 years.

A representative of Franklin declined to comment on the FTC charges.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
